SD Times Blog: Gotta catch ‘em all (safely and securely)

While you are trying to catch ‘em all, Pokémon Go is catching all your data. According to security researchers, the increasingly popular mobile application is posing a huge security risk to users.

The problem is that in order to play, you need to sign in through your pokemon.com or Google account, and signing in with a Google account gives the application full access to your Gmail, Google Drive, Google Calendar and more.

“I don’t recommend people using their primary Gmail address to integrate with the game because it does grant full access,” said Jordan Edelson, founder and CEO of Appetizer Mobile, a mobile development company. “Personally, when I signed up for this, I used a different e-mail. If people want to play and access the game, I recommend registering for a new Gmail account that is specifically there for gaming purposes. Unfortunately, at this time the game doesn’t allow users to change their e-mail address on file, but that may change down the line.”

The company behind the app, Niantic, is currently working on addressing the issue. In a statement obtained by Polygon, a gaming information and news website, the company wrote: “We recently discovered that the Pokémon GO account creation process on iOS erroneously requests full access permission for the user’s Google account. However, Pokémon GO only accesses basic Google profile information (specifically, your User ID and e-mail address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. Google has verified that no other information has been received or accessed by Pokémon GO or Niantic. Google will soon reduce Pokémon GO’s permission to only the basic profile data that Pokémon GO needs, and users do not need to take any actions themselves.”

This should teach users a lesson on the amount of access they give their applications. In a world where our lives are more digital than ever, we need to be careful about the information that we make accessible. Just because Pokémon Go is a widely played game, that doesn’t mean it’s necessarily safe or that you can trust it. Giving complete access to something like your Google account could enable an application to access your e-mail, read your e-mail, send e-mail, access your documents, look at your search and Maps navigation history, view private photos, and more, according to Adam Reeve, principal architect at RedOwl. Read the fine print and be careful about the applications you choose to download.